Recruitment Directory's Blog - Australia's #1 Recruitment Technology Blog!
It has been widely reported online, and readers will know by now, that Monster (http://www.monster.com) websites have been hacked. Confidential information has been downloaded, malicious scripts may have been uploaded, and who knows what else has been done. But the question is... WHY? Why was the site hacked in the first place? We understand that Monster has recently undergone a site upgrade - but still, that's NO EXCUSE for not protecting confidential information. Let's look at common terminology on the types of computer security incidents, and computer security evaluation methods.
Off the top of my head I can think of at least 10 other job boards/recruitment sites which have failed security testing in the past 6 months. How do I know? I have been the one testing these sites and have found the data.
No... this is not "hacking" but programmers/employees leaving holes in software code, not protecting files (chmod, directory listings, etc.) or just having stupidly left files and confidential information online thinking "no one will be able to find it". Well, I have found it.
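As an added example, not part of the original post: a POSIX shell audit of a web document root for the kinds of holes described above (backup or export files left where the web server can serve them, over-permissive chmod, directories that would show a listing). The file patterns, the Apache-style `.htaccess` check and the paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: audit a web document root for
# the problems the post describes: backup/export files left where the web
# server can serve them, world-writable files (chmod too loose), and
# directories that would show a listing. The patterns and the Apache-style
# ".htaccess" check are assumptions for illustration.

# File-name patterns that should never sit under a public document root
# (assumed list; extend it for your own stack).
SENSITIVE_GLOBS='*.sql *.bak *.old *.zip *.tar.gz *.csv *.log .env'

# audit_webroot DIR: print one "KIND path" line per finding.
# Returns 0 when nothing was found, 1 otherwise.
audit_webroot() {
    root="$1"
    report=$(
        # 1. Confidential or backup artefacts reachable from the web
        for g in $SENSITIVE_GLOBS; do
            find "$root" -type f -name "$g" \
                -exec printf 'SENSITIVE-FILE %s\n' {} \;
        done
        # 2. Anything writable by "other" (mode ...2): a chmod mistake
        find "$root" -perm -002 -exec printf 'WORLD-WRITABLE %s\n' {} \;
        # 3. Directories with no index page and no "Options -Indexes"
        #    in .htaccess: a listing would reveal every file in them
        find "$root" -type d -exec sh -c '
            d=$1
            [ -e "$d/index.html" ] || [ -e "$d/index.php" ] && exit 0
            grep -qs "Options[^#]*-Indexes" "$d/.htaccess" && exit 0
            printf "LISTABLE-DIR %s\n" "$d"' sh {} \;
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage (path is a placeholder): audit_webroot /var/www/html
```

Run it from cron against each site's document root and treat a non-zero exit as something to investigate before anyone else finds the file.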
You must be proactive and vigilant with information stored online. Regular site testing and security checks by 3rd party professionals, as well as correct server configuration, can help you. Feel free to contact me regarding these website testing services, and if you ever receive an email from me regarding security - take note!

Types of Computer Security Incidents

Insider abuse of access
- An employee or person authorised to use the business's computer system abuses this access, such as downloading a large amount of data, or accessing the internet for personal use against the business's IT policy

Theft or loss of hardware
- Hardware, such as laptops, PDAs (personal digital assistants) or other devices, is lost or stolen and not recovered. Does not include hardware that is damaged or destroyed.

Virus or other malicious code
- Software designed specifically to damage or disrupt a system, such as a virus or a Trojan horse. May be either self-replicating or non-self-replicating code (any statements and/or declarations that are written in a computer programming language) that changes the way a computer operates without the consent or knowledge of the system owner or user. This includes all types of malware (malicious software) except spyware

Spyware
- Software designed to collect information from a computer secretly and send it anywhere (e.g. key loggers), or to change settings and interfere with the performance of a compromised computer

Phishing
- Assuming the identity of a legitimate organisation or website, using forged email, fraudulent websites or other instant messaging communication forums such as MSN, to persuade others to provide information (usually personal financial information such as credit card numbers, account user names, passwords or social security numbers) for the purpose of using it to commit fraud.

Denial of service attack (DoS attack)
- An attack aimed at specific web sites by flooding the web server with repeated messages, depleting the system resources and denying access to legitimate users

Sabotage of network or data
- Intentional destruction of, or damage to, a computer network or to data stored on a network or stand-alone computer

Unauthorised network access
- Obtaining access to a restricted computer network without providing adequate credentials such as logon name and password

Theft or breach of proprietary or confidential information
- The unauthorised access to, and/or use, viewing, duplication, distribution or theft of, proprietary or confidential information. Proprietary information is information relating to or associated with the business's product, business or activities. It includes, but is not limited to, items such as trade secrets, research and development and financial information.

Incident involving the business's web application
- Any malicious or destructive incident that involves the business's website. This might include placing unauthorised information on a website or preventing it from being used as intended.

Corruption of hardware or software
- Damage to computer hardware or software that renders it, in part or in whole, non-operational

Corruption or loss of data
- Damage to or interference with data that renders it, in part or in whole, non-operational

Unavailability of service
- Making the operations of your business, either in part or in whole, unavailable

Web site defacement
- Damage caused to a public web site that limits or prevents its intended use

Non-critical operational losses
- A disruption to your business that did not cause suspension of, or severe damage to, your business's operations

Non-critical financial losses
- Loss of money or value to your business that did not cause a severe negative alteration to your business's financial state

Harm to reputation
- The reduction in confidence in your business or an increase in negative association with your business

Critical operational losses
- A disruption to your business that caused suspension of, or severe damage to, your business's operations

Critical financial loss
- Loss of money or value to your business that causes severe negative alteration to your business's income or assets

Computer Security Evaluation Methods

Security audit by internal staff
- A measurable technical assessment of a network, system or application that is carried out by a staff member of the business

Security audits by external businesses
- A measurable technical assessment of a network, system or application that is carried out by a person who is not a staff member of the business, i.e. outsourced to a consultant

Internet content filtering/image filtering or monitoring
- Software or hardware designed for monitoring and limiting access to inappropriate information or data, configured according to the organisation's security policy.

Intrusion detection systems
- Software applications designed to protect backbone services by detecting inappropriate, incorrect or anomalous activities that cannot usually be detected by a conventional firewall

Intrusion prevention systems
- Software or hardware designed to protect computers from exploitation by identifying and blocking potentially malicious activities in real time.

System penetration testing
- A method to evaluate the security of a computer, system or network by simulating an electronic attack (i.e. an attack by a hacker)

System audit policies
- Policies mandating audits of the business's computers, including issues such as the frequency and type of audits carried out and details of those responsible for undertaking those audits. This is a measurable technical assessment of a network, system or application

Risk assessment policies
- Policies that govern the type and frequency of risk assessment of the business. Risk assessment is a process where the magnitude of potential loss and the probability that it will occur are measured.

Security compliance check
- A form of assessment used to check a variety of security issues in terms of their compliance with a policy or guideline

- The use of software to monitor and report on the status of, and changes to, files and settings on individual systems, networks, servers etc.

Email monitoring software
- Software that is designed to monitor the email activity of users

Web activity monitoring software
- Software that is designed to monitor the web activity (sites visited, documents viewed) of a specific user or users.

Monster Hacked Again; 4.5 Million Records Stolen
(couldn't help but copy a screen shot of the article with paid advertisements for Monster on the right)
Article URL: http://www.recruitmentdirectory.com.au/Blog/monster-hacked-again-plus-information-on-security-terminology-a88.html